1. Field of the Invention
This invention generally relates to digital communications and, more particularly, to an inline packet encryption and decryption system capable of handling multiple independent packet streams using a single shared higher speed encryption engine.
2. Description of the Related Art
In a conventional system-on-chip (SoC), the Ethernet networking interface can be configured as either a small number of high speed interfaces or a larger number of slower speed interfaces. For example, a particular SoC may support configuration as a single 10 gigabits per second (Gbps) Ethernet port, or as four 1 Gbps Ethernet ports, with both configurations sharing the interface pins, a common system side interface, a shared internal data path, and other acceleration capabilities such as TCP/UDP checksum processing, packet classification, etc. Such an SoC may additionally support inline Internet protocol security (IPsec) and IEEE 802.1AE (MACsec) processing.
Many architectures dedicate encryption and decryption engines to each port, which increases die size. Dedicated encryption/decryption engines also result in poor overall resource utilization, since only the high speed interfaces or the low speed interfaces can be in use at any one moment; the two configurations cannot be used simultaneously, because they share interface pins, the system interface, and the other acceleration capabilities.
FIG. 1 is a diagram depicting a plurality of packets pending at different SoC input/output (IO) ports (prior art). Other architectures may share the same encryption and decryption engine between the two configurations. In this case, an arbitration scheme is implemented to select one port (e.g., one of the lower speed ports), encrypt or decrypt a packet on that port, and then switch to another port that may have a pending packet. Since packet sizes can vary, each low speed port must provide enough buffering for the largest size packet, in case all ports receive packets simultaneously. This buffering must be at least as large as the largest supported packet size, plus the number of ports times the amount of data received during the time taken to encrypt/decrypt the largest supported packet. This additional buffering is necessary to handle the case where all ports receive the largest packet size at exactly the same time, and the last port to be serviced must wait until the packets on all other ports have been processed.
Typically, additional buffering is necessary in order to overcome arbitration latencies and other processing inefficiencies. For example, if a 10 Gbps encryption/decryption engine is being shared between 10 Ethernet ports, each running at 1 Gbps, and all ports support 9.6 kilobyte (Kbyte) Jumbo frames, then each port must provide at least 19.2 Kbytes of buffering at the input in order to guarantee that all packets can be processed by the shared encryption/decryption engine without experiencing buffer overflow conditions.
Another drawback is that while the encryption/decryption engine operates at a 10 Gbps throughput, each outgoing low speed port may only be able to process the data at 1 Gbps. Since the encryption/decryption engine operates 10 times faster, each low speed port must also provide an output buffer into which it can store the results of the encryption/decryption engine so that its buffers do not overflow. For example, the transmit direction of the 1 Gbps Ethernet port only transmits packets at 1 Gbps, but the encryption engine writes data into the output buffer at 10 Gbps. Thus, in addition to the large input buffering per port, a minimum amount of output buffering per slow speed output port is also required. Therefore, in a system that has ten 1 Gbps Ethernet ports, the total minimum buffering required is: 10 (ports) × 2 (input buffer + output buffer) × 2 (receive path + transmit path) × 19.2 Kbytes = 768 Kbytes of memory.
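The buffering bound above can be checked numerically. The following Python script is an added worked example, not part of the patent text: it computes the per-port input buffer bound stated in the description (largest packet plus the data arriving on the port while the shared engine services a largest-size packet on every port), the total for the ten-port system, and then runs a simple fluid simulation of the worst case (all ports receive a jumbo frame at the same instant, one engine serves them round robin, one whole packet at a time) to confirm the bound is never exceeded. The function names, the integer-ratio assumption between engine and port rates, and the one-byte-per-port time step are choices made for this example.

```python
# Added worked example for the shared-engine buffering calculation in the text.
# Rates are in bits per second and sizes in bytes; all arithmetic is integer so
# the results are exact. The output buffer is assumed (as in the text's total)
# to be the same size as the input buffer on each port.


def per_port_input_buffer_bytes(num_ports, port_rate_bps, engine_rate_bps, max_packet_bytes):
    """Minimum input buffering per low speed port, as stated in the text:
    the largest packet itself, plus the bytes that keep arriving at line rate
    while the shared engine processes the largest packet on each of the ports.
    """
    # bytes arriving on one port during one engine service slot
    #   = (max_packet_bytes * 8 / engine_rate) s * port_rate / 8
    #   = max_packet_bytes * port_rate / engine_rate   (rounded up)
    arriving_per_slot = -(-(max_packet_bytes * port_rate_bps) // engine_rate_bps)
    return max_packet_bytes + num_ports * arriving_per_slot


def total_buffer_bytes(num_ports, per_port_bytes):
    """Total for the system in the text: every port carries an input and an
    output buffer on both the receive and the transmit path (2 x 2 buffers)."""
    return num_ports * 2 * 2 * per_port_bytes


def simulate_peak_occupancy(num_ports, port_rate_bps, engine_rate_bps, max_packet_bytes):
    """Fluid simulation of the worst case described in the text.

    At t=0 every port holds a largest-size packet and keeps receiving at line
    rate. One shared engine serves the ports round robin, draining one whole
    packet from the current port at engine rate before moving on. One time
    step is the time for a single byte to arrive on a port, so the engine
    drains engine_rate/port_rate bytes per step (assumed to be an integer).
    Returns the peak input buffer occupancy seen on any port during the first
    round of service, which is what the analytic bound must cover.
    """
    drain_per_step = engine_rate_bps // port_rate_bps
    assert drain_per_step * port_rate_bps == engine_rate_bps, \
        "example assumes the engine rate is an integer multiple of the port rate"

    occupancy = [max_packet_bytes] * num_ports   # all ports hit at once
    peak = max_packet_bytes
    for port in range(num_ports):                # round-robin service order
        drained = 0
        while drained < max_packet_bytes:
            for p in range(num_ports):           # line-rate arrival on every port
                occupancy[p] += 1
            take = min(drain_per_step, max_packet_bytes - drained)
            occupancy[port] -= take              # engine drains the served port
            drained += take
            peak = max(peak, max(occupancy))
    return peak


if __name__ == "__main__":
    # Constructed configuration matching the text: ten 1 Gbps ports sharing a
    # 10 Gbps engine, 9.6 Kbyte jumbo frames.
    ports, port_rate, engine_rate, jumbo = 10, 1_000_000_000, 10_000_000_000, 9600
    bound = per_port_input_buffer_bytes(ports, port_rate, engine_rate, jumbo)
    print("per-port input buffer bound:", bound, "bytes")          # 19200
    print("system total:", total_buffer_bytes(ports, bound), "bytes")  # 768000
    print("simulated worst-case peak:", simulate_peak_occupancy(ports, port_rate, engine_rate, jumbo), "bytes")
```

The bound reproduces the 19.2 Kbytes per port and 768 Kbytes total from the text. The simulation's peak (on the last port serviced) is a little below the bound, because only the other ports' service slots precede that port's own turn and the engine drains faster than the port fills during service; the stated bound is therefore sufficient with some margin.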
It would be advantageous if an encryption or decryption engine could be shared between multiple ports while minimizing the amount of required buffer memory.